Researchers Develop ‘End-to-Middle’ Proxy System to Evade Censorship

As state-level censorship continues to grow in various countries around the globe in response to political dissent and social change, researchers have begun looking for news ways to help Web users get around these restrictions. Now, a group of university researchers has developed an experimental system called Telex that replaces the typical proxy architecture with a scheme that hides the fact that the users is even trying to communicate at all.

The Telex system is the work of J. Alex Halderman and two other researchers at the University of Michigan, and Ian Goldberg of the University of Waterloo, and it has a couple of fundamental differences from other anti-censorship or anonymity tools such as Tor or proxy networks. The key innovation in Telex is that it uses “stations” installed at ISPs to recognize and reroute specially tagged requests from clients trying to reach censored sites.

Those requests also are completely hidden from censors because it is part of an established HTTPS connection to a benign site that the censor or government allows. That connection is used as a red herring to prevent the censor from even seeing the other connection request. Each user would have a copy of the Telex client on his or her machine, which would generate the requests and insert the secret tags in them.

“The client secretly marks the connection as a Telex request by
inserting a cryptographic tag into the headers. We construct this tag
using a mechanism called public-key steganography. This means anyone can
tag a connection using only publicly available information, but only
the Telex service (using a private key) can recognize that a connection
has been tagged,” Halderman, an assistant professor at Michigan, wrote in a blog post announcing Telex.

“As the connection travels over the Internet en route to the
non-blacklisted site, it passes through routers at various ISPs in the
core of the network. We envision that some of these ISPs would deploy
equipment we call Telex stations. These devices hold a private key that
lets them recognize tagged connections from Telex clients and decrypt
these HTTPS connections. The stations then divert the connections to
anti­censorship services, such as proxy servers or Tor entry points,
which clients can use to access blocked sites. This creates an
encrypted tunnel between the Telex user and Telex station at the ISP,
redirecting connections to any site on the Internet.”

Governments and other orgnaizations interested in censoring the sites that their users can access have become quite adept at detecting circumvention methods and finding the addresses of the proxy servers that other anonymity systems use, making it difficult–and in some cases, dangerous–for people to use them. Telex is designed to help alleviate this problem by using proxy servers that for all intents and purposes don’t have public IP addresses that are discoverable by outsiders.

“The kernel of the idea was to do something in the middle of the network,” Halderman said in an interview. “Working out how to do it with the ISPs is one of the hard parts. It was an idea that had a lot of contours that needed to be thought out and fleshed out because it is so different from the existing proxy-based tools out there.”

Goldberg, of the University of Waterloo in Canada, is the former chief scientist at Zero-Knowledge Systems, creators of the pioneering privacy and anonymity system, Freedom.

The Telex system is in the experimental stage, but Halderman wrote that he and his fellow researchers have been using it via a Telex station in their lab for a few months now and it’s worked as designed. The researchers, who also include Halderman’s graduate students Eric Wustrow and Scott Wolchok, plan to present their research on Telex at Usenix Security 2011 next month.

About Dennis Fisher

Dennis Fisher is a journalist with more than 13 years of experience covering information security.

Comments (20)

Wouldn’t the ISP then still have a log of where the client visited? This is still insecure, as ISP’s are regularly forced to reveal traffic. Furthermore, what ISP in a hostile government would want or seek additional risk to themselves?

The problem is real and the premise that you don’t even want them to know you are trying to make a secret communication is absolutely critical. How many people in China are slaughtered year over year for such things? With 1,000+ mobile death vehicles produced per year, obviously a hell of a lot of people (in China).

But you also need to hide the local client application. It’s better there were no persistent client application. Why not use a javascript client that disposes of itself? Stenographic methods are obviously key toward hiding that a communication has occured. Open cryptography is a lure to zero them in on you. Basically, one might use a compression technique to specify a message with extracted components from a mix of web pages from a single google search term. I would always provide separate messages to each individual–except when testing the trustworthiness of the receiving agent or using it as a lure to find those seeking you out.

So you expect non-blacklisted sites to install software on their back-end to support this encrypted tor-like anonymous service? Good luck with that. Even if you manage to do this, you still have to deal with the fact that these non-blacklisted sites will soon quickly get blacklisted as well for providing a proxy service to blacklisted sites.

This is a bit useless as it stands and doesn’t even really seem to be new technology. Our firewall can do SSL proxy. Put it at the ISP and call it a Telex and whats the difference.

I agree with the above users that once the hostile country gets a hold of the software it becomes obsolete and jeopardizes all of the users. I’ve though about it for a while and there has to be something unique to the client for this to work. some kind of private key there as well that corresponds to a key on the telex. Then, an alogorythim needs to be embedded in the server and client that rotates key pairs on a per client basis. It’s a lot more storage and processing but it safe unless the hostile country just barges over and invades the ISP.

Actually thinking further…this only works for a single server implementation. The difference is the rotating keys on the server…but if all server have the same rotating key it is still “circumventable”. I don’t even know if it is possible, but the telex system would need to identify its traffic and then a network of of telex devices would have to be built all with their own keys/algs and secure communication chanels between them so that the telex client is redirected to the telex server that built that particular client ad has the matching private. That way no two “Telex” will ever have the same private key and if your local telex goes down you can just get a client from another.

Maybe we should just take a more direct route toward stopping global oppression?

In iran, the government has decided to categorize all encrypted connections to legal and illegal ones. So all sorts of anti-censor softwares like this will not work unless their connections feet in legal (white-list) part.

ISP would have a log but that ISP can be anywhere connections from the “hostile country” are allowed to reach. So for an example ISP outside the China could reroute requests to a host in their network to a host that is censored in China.

This in effect would NOT be an anonymity system, rather way to circumvent state censorship.

The Telex station does not have to be in the country where the user is located and therefore it could be out of reach for the government of that user. It could be at the same (benign, foreign) site that the user is visiting, or it could be anywhere in-between. The thing is that you could not tell from looking at the paquets that come in and out of the client’s machine because the paquets are seemingly going to a benign web site and are encrypted.

The only way to tell would be to actually install the Telex client and do the same thing while tracerouting the paquets to see what nodes they go through. By comparing the routes used by a “normal benign” paquet and an encrypted Telex paquet, I guess that you could tell which node re-routed the Telex paquet.

“The Telex station does not have to be in the country where the user is
located and therefore it could be out of reach for the government of
that user. It could be at the same (benign, foreign) site that the user
is visiting, or it could be anywhere in-between.”

If the user is in-country, and the ISP serving him is in-country, then all the repressive regiem has to do is force the in-country ISP to install this Telex thingy and the users are caught.

” …because the paquets are seemingly going to a benign web site and are encrypted.”

And the Telex intermediate can decrypt them and know where they are really intended for.

This system depends on the bad guys not being able to get a copy of the software for themselves. Rather naive, I think.

You’ll have to provide some backing for the numbers you cite since
best I found so far was an unconfirmed estimate of 40 execution vans in operation;
quite the different number of 1000+ produced each year. Unless you ment
regular cars, and then the number is closer to billions produced each year, and thousands of deadly accidents each year. But those generally don’t count as “oppression by the government”.

Killing political activists tends to upset people, not to mention other governments. So actual deaths over politics in China now-a-days is probably somewhat less than actual deaths due to, say, corruption. There are plenty of other ways to pester the pesky plebs.

I’m more concerned about adversary governments running honeypot stations and using your use of a client as proof of subversive intent.

In order for a copy of Telex to be able to determine if a packet is a telex packet, the server must have the private key that the packet was encrypted to. Therefore, each client instance will encrypt for a specific server instance, other server copies will not be able to tell that there is a client at all.

Recommended Reads

Collaboration providers Slack disclosed that a database storing its user profile information has been breached. The break-in has been stopped, and Slack announced that it has implemented two-factor authentication going forward.

A group of technology companies, non-profits and privacy and human rights organizations have sent a letter to President Barack Obama, the director of national intelligence and a wide range of Congressional leaders, calling for an end to the bulk collection of phone metadata under Section 215 of the USA PATRIOT Act.

The Final Say

There are a great many beautiful and unusual towns and cities in the world, there are volcanoes, there are valleys and canyons, and islands and lakes. There are also of course rivers: loads of them ...

One of the big trends in sphere of health and fitness are fitness trackers such as smartbands. Tracking devices and their mobile applications from three leading vendors were inspected in this report t...

Android smartphones and tablets are very popular among students for several reasons. First, they are relatively affordable. Second, they are flexible, so users can choose the most suitable set-up for ...